Configuring for External Authentication Servers

You can put several user accounts together to form a user group, which you can store on the local database or on a RADIUS, LDAP, or SecurID server. When you reference an authentication user group and an external authentication server in a policy, the traffic matching the policy provokes an authentication check.

In this example, the access profile called prof_1 is configured for external authentication. Two RADIUS servers and one LDAP server are configured in the access profile. However, the order of authentication specifies RADIUS server only, so if the RADIUS server authentication fails, then the firewall user fails to authenticate. The local database is not accessed.

Note: If the firewall clients are authenticated by the RADIUS server, then the group-membership VSA returned by the RADIUS server should contain alpha, beta, or gamma client-groups in the RADIUS server configuration or in the access profile, prof_1. Access profiles store usernames and passwords of users or point to external authentication servers where such information is stored.

To configure a server for external authentication, use either J-Web or the CLI configuration editor.

This topic covers:

• J-Web Configuration
• CLI Configuration
• Related Topics

J-Web Configuration

To specify the RADIUS server for external authentication order using the J-Web configuration editor:

1. Select Configuration>View and Edit>Edit Configuration.

   The Configuration page appears.

2. Next to Access, click Configure or Edit.
3. Next to Profile, click Add new entry.
4. In the Profile name box, type prof1.
5. Next to Authentication order, click Add new entry.
6. From the Value choice list, select radius and click OK.

To configure firewall user (ClientsA-E) and assign firewall users (ClientA and ClientB) to client groups alpha, beta, and gamma:

1. Next to Client, click Add new entry.
2. In the Name box, type ClientA.
3. Next to Client group, click Configure or Edit.
4. In the Value box, type alpha and click OK.
5. To specify another client group, in the Value box, type beta and click OK.
6. To specify another client group, in the Value box, type gamma and click OK.
7. Next to Firewall User, click Configure or Edit.
8. In the Password box, type pwd1 and click OK.
9. Next to Client, click Add new entry.
10. In the Name box, type ClientB and click OK.
11. In the Value box, type alpha and click OK.
12. To specify another client group, in the Value box, type beta and click OK.
13. Next to Firewall User, click Configure or Edit.
14. In the Password box, type pwd3 and click OK.
15. To specify another client, next to Client, click Add new entry.
16. In the Name box, type ClientC and click OK.
17. Next to Firewall User, click Configure or Edit.
18. In the Password box, type pwd4 and click OK.
19. To specify another client, next to Client, click Add new entry.
20. In the Name box, type ClientD and click OK.
21. Next to Firewall User, click Configure or Edit.
22. In the Password box, type pwd5 and click OK.
23. To specify another client, next to Client, click Add new entry.
24. In the Name box, type ClientE and click OK.
25. Next to Firewall User, click Configure or Edit.
26. In the Password box, type pwd2 and click OK.

To configure client groups in the session options:

1. Select Configuration>View and Edit>Edit Configuration.

   The Configuration page appears.

2. Next to Access, click Configure or Edit.
3. Next to Profile, click Add new entry.
4. In the Profile name box, type prof1.
5. Next to Session options, click Configure.
6. In the Value box, type u1 and click OK.
7. To specify another client group, in the Value box, type alpha and click OK.
8. To specify another client group, in the Value box, type gamma and click OK.
9. In the Client idle timeout box, type 255.
10. In the Client session timeout box, type 4 and click OK.

To configure the IP address for the LDAP server and LDAP server options:

1. Next to Ldap options, click Configure or Edit.
2. In the Base distinguished name box, type CN=Users,DC=screenos,DC=spg,DC=juniper,DC=net
3. From the Search type list, select Search.
4. Next to Search, click Configure or Edit.
5. In the Search filter box, type sAMAccountName= and click OK.
6. Select the Admin search check box and click Configure or Edit.
7. In the Distinguished name box, type cn=administrator,cn=users,dc=screenos,dc=spg,dc=juniper,dc=net.
8. In the Password box, type pwd10 and click OK.
9. Next to Ldap server, click Add new entry.
10. In the Name box, type 3.3.3.3 and click OK.

To configure the IP addresses for the two RADIUS servers:

1. Next to Radius server, click Add new entry.
2. In the Address box, type 4.4.4.4 and click OK.
3. In the Secret box, type any unreadable data.
4. In the Retry box, type 10 and click OK.
5. Next to Radius server, click Add new entry.
6. In the Address box, type 5.5.5.5 and click OK.
7. In the Secret box, type any unreadable data.
8. If you are finished configuring the device, commit the configuration.
9. To check the configuration, see Verifying Firewall User Authentication

CLI Configuration

To configure the device for external authentication using a RADIUS server follow these steps:

1. Specify the RADIUS server for external authentication order. This restricts firewall users to authenticate through the RADIUS server only. If the RADIUS server authentication fails and the default password (local database) option is not specified, the firewall user is locked out.

   user@host# set access profile prof_1 authentication-order radius

2. Configure firewall user (ClientsA-E) and assign firewall users (ClientA and ClientB) to client groups alpha, beta, and gamma.

   user@host# set access profile prof_1 client clientA client-group alpha

   user@host# set access profile prof_1 client clientA client-group beta

   user@host# set access profile prof_1 client clientA client-group gamma

   user@host# set access profile prof_1 client clientA firewall-user password pwd1

   user@host# set access profile prof_1 client clientB client-group alpha

   user@host# set access profile prof_1 client clientB client-group beta

   user@host# set access profile prof_1 client clientB firewall-user password pwd3

   user@host# set access profile prof_1 client clientC firewall-user password pwd4

   user@host# set access profile prof_1 client clientD firewall-user password pwd5

   user@host# set access profile prof_1 client clientE firewall-user password pwd2

3. Configure client groups in the session options.

   user@host# set access profile prof_1 session-options client-group u1

   user@host# set access profile prof_1 session-options client-group alpha

   user@host# set access profile prof_1 session-options client-group gamma

   user@host# set access profile prof_1 session-options client-idle-timeout 255

   user@host# set access profile prof_1 session-options client-session-timeout 4

4. Configure the IP address for the LDAP server and LDAP server options.

   user@host# set access profile prof_1 ldap-options base-distinguished-name

   CN=Users,DC=screenos,DC=spg,DC=juniper,DC=net

   user@host# set access profile prof_1 ldap-options search search-filter sAMAccountName=

   user@host# set access profile prof_1 ldap-options search admin-search distinguished-name

   cn=administrator,cn=users,dc=screenos,dc=spg,dc=juniper,dc=net

   user@host# set access profile prof_1 ldap-options search admin-search password pwd10

   cn=administrator,cn=users,dc=screenos,dc=spg,dc=juniper,dc=net

   user@host# set access profile prof_1 ldap-server 3.3.3.3

5. Configure the IP addresses for the two RADIUS servers.

   user@host# set access profile prof_1 radius-server 4.4.4.4

   user@host# set access profile prof_1 radius-server 4.4.4.4 secret

   user@host# set access profile prof_1 radius-server 4.4.4.4 retry 10

   user@host# set access profile prof_1 radius-server 5.5.5.5 secret

6. If you are finished configuring the device, commit the configuration.
7. To check the configuration, see Verifying Firewall User Authentication

Related Topics

•  Firewall User Authentication Overview
•  Understanding Client Groups for Firewall Authentication